x86: Fix buffer overead in mc put

For w <= 32 we can't process more than two rows per loop iteration. Credit to OSS-Fuzz.
videolan · Sep 5, 2019 · 69dae68 · 69dae68
1 parent a9315f5
commit 69dae68
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 31 deletions.
diff --git a/src/x86/mc.asm b/src/x86/mc.asm
@@ -170,8 +170,6 @@ cglobal put_bilin, 4, 8, 0, dst, ds, src, ss, w, h, mxy
 .put:
     movzx                wd, word [t2+wq*2+table_offset(put,)]
     add                  wq, t2
-    lea                  t1, [ssq*3]
-    lea                  t2, [dsq*3]
     jmp                  wq
 .put_w2:
     movzx               t0d, word [srcq+ssq*0]
@@ -194,42 +192,34 @@ cglobal put_bilin, 4, 8, 0, dst, ds, src, ss, w, h, mxy
     jg .put_w4
     RET
 .put_w8:
-    movq                 m0, [srcq+ssq*0]
-    movq                 m1, [srcq+ssq*1]
+    mov                  t0, [srcq+ssq*0]
+    mov                  t1, [srcq+ssq*1]
     lea                srcq, [srcq+ssq*2]
-    movq       [dstq+dsq*0], m0
-    movq       [dstq+dsq*1], m1
+    mov        [dstq+dsq*0], t0
+    mov        [dstq+dsq*1], t1
     lea                dstq, [dstq+dsq*2]
     sub                  hd, 2
     jg .put_w8
     RET
 .put_w16:
     movu                 m0, [srcq+ssq*0]
     movu                 m1, [srcq+ssq*1]
-    movu                 m2, [srcq+ssq*2]
-    movu                 m3, [srcq+t1   ]
-    lea                srcq, [srcq+ssq*4]
+    lea                srcq, [srcq+ssq*2]
     mova       [dstq+dsq*0], m0
     mova       [dstq+dsq*1], m1
-    mova       [dstq+dsq*2], m2
-    mova       [dstq+t2   ], m3
-    lea                dstq, [dstq+dsq*4]
-    sub                  hd, 4
+    lea                dstq, [dstq+dsq*2]
+    sub                  hd, 2
     jg .put_w16
     RET
 INIT_YMM avx2
 .put_w32:
     movu                 m0, [srcq+ssq*0]
     movu                 m1, [srcq+ssq*1]
-    movu                 m2, [srcq+ssq*2]
-    movu                 m3, [srcq+t1   ]
-    lea                srcq, [srcq+ssq*4]
+    lea                srcq, [srcq+ssq*2]
     mova       [dstq+dsq*0], m0
     mova       [dstq+dsq*1], m1
-    mova       [dstq+dsq*2], m2
-    mova       [dstq+t2   ], m3
-    lea                dstq, [dstq+dsq*4]
-    sub                  hd, 4
+    lea                dstq, [dstq+dsq*2]
+    sub                  hd, 2
     jg .put_w32
     RET
 .put_w64:

diff --git a/src/x86/mc_ssse3.asm b/src/x86/mc_ssse3.asm
@@ -177,7 +177,6 @@ cglobal put_bilin, 4, 8, 0, dst, ds, src, ss, w, h, mxy, bak
 .put:
     movzx                wd, word [t0+wq*2+table_offset(put,)]
     add                  wq, t0
-    lea                  r6, [ssq*3]
     RESTORE_DSQ_32       t0
     jmp                  wq
 .put_w2:
@@ -211,20 +210,14 @@ cglobal put_bilin, 4, 8, 0, dst, ds, src, ss, w, h, mxy, bak
     jg .put_w8
     RET
 .put_w16:
-    lea                  r4, [dsq*3]
-.put_w16_in:
     movu                 m0, [srcq+ssq*0]
     movu                 m1, [srcq+ssq*1]
-    movu                 m2, [srcq+ssq*2]
-    movu                 m3, [srcq+r6   ]
-    lea                srcq, [srcq+ssq*4]
+    lea                srcq, [srcq+ssq*2]
     mova       [dstq+dsq*0], m0
     mova       [dstq+dsq*1], m1
-    mova       [dstq+dsq*2], m2
-    mova       [dstq+r4   ], m3
-    lea                dstq, [dstq+dsq*4]
-    sub                  hd, 4
-    jg .put_w16_in
+    lea                dstq, [dstq+dsq*2]
+    sub                  hd, 2
+    jg .put_w16
     RET
 .put_w32:
     movu                 m0, [srcq+ssq*0+16*0]